Title :
A peer-based hardware protocol for intrusion detection systems
Author :
White, Major Gregory B ; Huson, Captain Mark L
Author_Institution :
Dept. of Comput. Sci., United States Air Force Acad., CO, USA
Abstract :
A number of intrusion detection systems have been developed to detect intrusive activity on individual hosts and networks. These systems rely almost exclusively on a software approach to intrusion detection analysis and response. In addition, the network systems developed apply a centralized approach to the detection of intrusive activity. The problems introduced by this approach are twofold. First, the centralization of these functions becomes untenable as the size of the network increases. However, the introduction of intermediate security systems increases the number of potential targets and introduces communication delays which are unacceptable for high bandwidth data transfers. Second, and more importantly, the combination of centralization and software implementation as an approach to network intrusion detection introduces a dangerous vulnerability. As intruders gain access to the system, they target the security software itself and the centralization ensures the compromise of the entire network. The solution to these problems is a hardware implementation of a decentralized approach to intrusion detection. This paper describes the hardware platform necessary to implement such a system. It also proposes an intrusion detection protocol which would be used by this hardware to communicate relevant intrusive activity events between heterogeneous systems connected in a network or internetwork. This work is based on the Cooperating Security Managers, a peer-based approach to intrusion detection developed at Texas A&M University.
Keywords :
computer networks; internetworking; multivariable systems; protocols; security of data; Cooperating Security Managers; Texas A&M University; centralized approach; communication delays; decentralized approach; hardware implementation; hardware platform; heterogeneous systems; high bandwidth data transfer; intrusion detection protocol; intrusion detection systems; intrusive activity events; network intrusion detection; network systems; peer-based hardware protocol; software approach; software implementation; Bandwidth; Computer science; Data security; Delay; Frequency; Hardware; IP networks; Intrusion detection; Monitoring; Protocols;
Conference_Title :
Military Communications Conference, 1996. MILCOM '96, Conference Proceedings, IEEE
Conference_Location :
McLean, VA
Print_ISBN :
0-7803-3682-8
DOI :
10.1109/MILCOM.1996.569200